Security of wireless networks such as a 3rd generation project partnership (3GPP) wireless network, a worldwide interoperability for microwave access (WiMAX) wireless network, and a 3rd generation project partnership 2 (3GPP2) wireless network may be acquired using cryptographic schemes.
A mobile station (MS) that attempts to attach to a network is required to perform a cryptographic mutual authentication procedure with the network. The MS and the network use their respective long-term credentials (e.g., a username-password pair, an X.509 certificate, a subscriber identity module (SIM) card, and/or the like) to perform the cryptographic mutual authentication procedure.
The long-term credentials are stored on the MS and a server located in a core network of an operator of the wireless network. Generally, servers which store the long-term credentials are known as an authentication, authorization, and accounting (3A) server. Furthermore, the 3A server that is located at a home network of the MS is known as a home authentication, authorization, and accounting (H3A) server. In the context of a home network, a network access authentication procedure is performed by the MS and the H3A server.
At an end of a successful wireless network access authentication procedure, the H3A server generates a session security context (e.g., a pair of an MS device identifier and an associated cryptographic session key), and transmits the session security context to a server which is located at an access network. The access network denotes a network that the MS attempts to access. The server located at the access network which receives the session security context is called a network access server (NAS). In contrast to the long-term credentials, the session security context is generally short-lived (e.g., 24 hours) and is used for deriving additional cryptographic keys for securing a data communication between the MS and the access network.
The NAS may be a dedicated server which serves a plurality of base stations (BSs) in a deployment, or the NAS may be co-located with each of or a subset of the plurality of BSs.
A network may include zero or more other 3A nodes such as a relay node and a proxy 3A node between the NAS and the H3A server. The 3A nodes operate as a conduit during the network access authentication procedure, and the 3A nodes also relay the session security context from the H3A server to the NAS at an end of a successful network access authentication. Nevertheless, in a wireless network according to the related art, the 3A nodes do not store or manipulate the session security context in any way.
A mutual authentication procedure between the MS and the H3A server may take a relatively long time. The messaging used in the mutual authentication procedure between the MS and the H3A server may incur two or more round-trips between the end points, depending on the authentication scheme used. For example, in an authentication and key agreement (AKA)-based authentication scheme, two round-trips may be performed. In contrast, in a transport layer security (TLS)-based authentication scheme, more than ten round-trips may be performed if large certificate chains are used. Each round-trip may vary between tens of milliseconds and hundreds of milliseconds based on the geographic separation between the end points. According to the related art, an intercontinental round-trip latency is generally 500 milliseconds. Overall, a mutual authentication procedure between an MS and an H3A server may take one second or more.
If the round trip latency is encountered only at the time of an initial network entry, the round trip latency may be tolerated by a user of the MS. For example, a lengthy connection time after a user gets off an airplane, or after a power-on of an MS, is usual. However, if the round trip latency is encountered during a handover from one BS to another BS, the disruption which the round trip latency may cause is problematic. For example, dropped voice calls or interrupted video streaming may be a noticeable problem for users.
A NAS which serves a plurality of BSs may remedy some of the problems associated with round trip latency. For example, if the MS hands over from one BS to another BS under the same NAS, an MS-H3A authentication does not need to be repeated. For example, a session security context which is acquired by the NAS from the H3A server at an initial authentication may be used for generating a session security context to be used by the MS and a target BS if the MS attempts to hand over to the target BS.
Nevertheless, problems resulting from the round trip latency arise again if the MS crosses a border of the NAS and tries to attach to a BS served by another NAS. If the new NAS does not have any session security context stored prior to an arrival of the MS, a new MS-H3A authentication needs to be performed.
Furthermore, there are network architecture models according to which NAS functionality is co-located with the BS. For example, such network architecture models do not include a NAS that serves a plurality of BSs within the access network. Each NAS serves the co-located BS. In this case, each handover requires a new authentication through a new BS/NAS.
A 3A topology in a wireless network according to the related art will be described with reference to FIG. 1.
FIG. 1 schematically illustrates a 3A topology in a wireless network according to the related art.
Referring to FIG. 1, an area which is indicated with a dotted line denotes an access network 3A server (N3A) domain, and each N3A domain includes a plurality of BSs and one N3A.
Referring to FIG. 1, if an MS (not shown in FIG. 1) tries to attach to a BS2, the MS is authenticated. A signal related to an authentication for the MS traverses the BS2, an N3A#1 (N3A1), an N3A6, an N3A10, a visited network 3A server#1 (V3A1), and an H3A server. At the end of a successful access network authentication, only the H3A server and the BS2 hold a session security context. For example, none of the intermediary nodes between the BS2 and the H3A server retain any security context. As a result, if the MS tries to attach to another BS in the same N3A area as the BS2, the MS needs to be re-authenticated. A handover to other areas, such as a handover to an area of a BS6, also requires a new authentication.
Cryptographic keys used for a session security context form a key hierarchy. In this hierarchy, if an existing key has been used in the derivation of a later key, the existing key is the parent of the later key. Here, consider a key that is shared between the MS and the H3A server. A key which is shared between the MS and the H3A server may be a key of the long-term credentials, or a session key which is generated at the end of a successful authentication (e.g., a master session key (MSK), or an extended master session key (EMSK) of the extensible authentication protocol (EAP)).
A 3A topology in a wireless network according to the related art has been described with reference to FIG. 1, and a legacy key hierarchy structure in a wireless network according to the related art will be described with reference to FIG. 2.
FIG. 2 schematically illustrates a legacy key hierarchy structure in a wireless network according to the related art.
Referring to FIG. 2, a key which is shared between an MS and an H3A server is expressed as “M”. A key M.1 as a child key of the key which is shared between the MS and the H3A server M is derived using a one-way keyed hash function such as HMAC-SHA256. The H3A server provides the key M.1 to a NAS. Meanwhile, because the key M is also known to the MS, the MS may derive the key M.1. Accordingly, the key M.1 becomes a shared secret key between the MS and the NAS. If the NAS receives the key M.1, the NAS may generate a key M.1.1 as a child key of the key M.1, and provide the key M.1.1 to a given BS. The MS generates the same key (e.g., the key M.1.1) as the child key of the key M.1, and the key M.1.1 becomes a shared secret key between the MS and the BS. For example, a key hierarchy in FIG. 2 denotes a key hierarchy which is formed by the key M, the key M.1, and the key M.1.1.
A legacy key hierarchy according to which a depth of a hierarchy is a fixed value (3 in this case) is illustrated in FIG. 2. As described above, 3A nodes between the H3A server and the NAS do not perform a role in a related key hierarchy.
As a result, a key hierarchy has two levels if the NAS is co-located with the BS.
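The fixed-depth hierarchy of FIG. 2 (key M at the H3A server, M.1 at the NAS, M.1.1 at the BS) and the handover case under a single NAS can both be demonstrated with a few lines of code. The following is an added example, not part of the original disclosure and not any operator's or vendor's implementation: it derives each child key with HMAC-SHA256 keyed by the parent, as the text describes, and shows that the MS, which knows M, arrives at the same per-BS key as the network side without contacting the H3A server again. The derivation labels (`NAS|<id>`, `BS|<id>`), the node identifiers and the demo master key are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo value standing in for the MS/H3A shared key M (e.g. an EAP MSK).
SAMPLE_M = hashlib.sha256(b"constructed demo master key, not a real credential").digest()


def derive_child(parent_key: bytes, label: bytes) -> bytes:
    """One level of the hierarchy: child = HMAC-SHA256(parent, label).

    Because HMAC is a one-way keyed hash, holding the child does not reveal
    the parent; a BS that holds M.1.1 learns nothing about M.1 or M.
    The label format is an assumption of this example.
    """
    return hmac.new(parent_key, label, hashlib.sha256).digest()


def h3a_derive_nas_key(m: bytes, nas_id: bytes) -> bytes:
    """H3A server side: M.1, handed to the NAS at the end of authentication."""
    return derive_child(m, b"NAS|" + nas_id)


def nas_derive_bs_key(m1: bytes, bs_id: bytes) -> bytes:
    """NAS side: M.1.1 (or M.1.2, ...), handed to the serving BS."""
    return derive_child(m1, b"BS|" + bs_id)


def ms_derive_bs_key(m: bytes, nas_id: bytes, bs_id: bytes) -> bytes:
    """MS side: walks the same two levels from M, so no extra messaging is needed."""
    m1 = derive_child(m, b"NAS|" + nas_id)
    return derive_child(m1, b"BS|" + bs_id)


def handover_within_nas(m: bytes, nas_id: bytes, bs_ids: list[bytes]) -> dict[bytes, bool]:
    """Simulate the MS moving across BSs served by one NAS.

    The NAS is contacted by the H3A server exactly once (to receive M.1);
    every later BS key is derived locally. Returns, per BS, whether the
    network-side and MS-side keys agree.
    """
    m1 = h3a_derive_nas_key(m, nas_id)      # single H3A -> NAS transfer
    agreement = {}
    for bs_id in bs_ids:
        network_key = nas_derive_bs_key(m1, bs_id)
        ms_key = ms_derive_bs_key(m, nas_id, bs_id)
        agreement[bs_id] = hmac.compare_digest(network_key, ms_key)
    return agreement


def hierarchy_depth(m: bytes, nas_id: bytes, bs_id: bytes) -> int:
    """Number of keys on the path M -> M.1 -> M.1.1 in the legacy hierarchy."""
    chain = [m, h3a_derive_nas_key(m, nas_id)]
    chain.append(nas_derive_bs_key(chain[-1], bs_id))
    return len(chain)


if __name__ == "__main__":
    result = handover_within_nas(SAMPLE_M, b"N3A1", [b"BS2", b"BS3", b"BS4"])
    for bs, ok in result.items():
        print(bs.decode(), "keys agree" if ok else "MISMATCH")
    print("depth:", hierarchy_depth(SAMPLE_M, b"N3A1", b"BS2"))
```

Note that the per-BS keys differ from one another (different `bs_id` labels), so a BS does not hold its neighbour's key, and that crossing to a BS under a different NAS changes the first-level label: in the legacy topology the new NAS has no M.1 for that NAS identifier until the H3A server supplies one, which is exactly the re-authentication the text describes.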
As described above, in a wireless network according to the related art, an unnecessary authentication between an MS and an H3A server may be performed, and this unnecessary authentication results in unnecessary messaging. Further, the unnecessary messaging results in unnecessary round trip latency, so the service quality of the radio network is decreased.
The above information is presented as background information only to assist with an understanding of the present disclosure. No determination has been made, and no assertion is made, as to whether any of the above might be applicable as prior art with regard to the present disclosure.